Amazon's cloud attacks more than doubled in last 6 months

Amazon Web Services' share of cloud-hosted malware attacks has more than doubled in the last six
months, and is taking the IT industry by surprise. The general perception is that AWS isn't ready
for prime time.

That's according to NTT subsidiary Solutionary, which presented its findings in its Q2
2014 Security Engineering Research Team (SERT) report, published July 15 of this week.

Internet security researchers said that, out of the top ten ISPs and hosting providers surveyed, the proportion of
malware-hosting websites served from Amazon infrastructure more than doubled from 16 percent in Q4
2013 to 41 percent in Q2 2014.

During the same period, the share hosted by some European hosting companies grew from 10 to 13 percent; from 9 to 12 percent
on Akamai; and from 6 to 9 percent on Google.

And this isn't the first time that Amazon's cloud has been used by miscreants to host large amounts
of malware: Solutionary made the same claims in its Q4 2013 SERT report, and Kaspersky researchers discovered
in 2011 that Amazon Web Services was playing host to the notorious SpyEye malware.

Part of the reason is likely Amazon's scale and popularity as a cloud service, along with its Bezos-backed
low prices. This means any wannabe hacker can buy ready-made server images from crooks and deploy them on AWS to
build a network of malware-spreading websites.

"When you start going into the underground forums, they don't just sell a Zeus malware package,
they'll sell you an entire command-and-control infrastructure and a phishing website to set up, and
a drive-by-download website to set up.

"You go to them and it's CaaS (crime-as-a-service)," he explained. "It's truly script kiddies on a
major scale."

Another reason why large providers may be having trouble stamping out amateur hackers on their services
is that the criminals are moving rapidly between different clouds, Kahl said. "A lot of the malware
operators bounce in between hosting providers, internet service providers and proxy hosts in different
countries, and that's only part of the issue."

Worse, the digital fingerprints of the viruses, Trojans and other malicious software hosted in public clouds
are already known and circulated in the infosec world, and could be used to identify those malicious binaries, Kahl
added.

"The question is, can these providers put the infrastructure in to scan everything?" he asked. Amazon
and Google may be scrimping when it comes to investing in the tools needed to efficiently check the
signatures of hosted files against databases of known evil binaries, he said.

"When we're talking about someone as big as Amazon or Google it would be a significant investment
both in architecture and in time to go through and monitor everything as it's being put up, regular
scans – to detect everything and take down these groups," the researcher said.

However, some companies are making good moves, such as Microsoft, which has a number of malware-splatting
initiatives.

Similarly, Google's new Project Zero team is tasked with hunting down security vulnerabilities in software
before they are discovered and capitalized on by crooks.

As for Amazon, a spokesperson told us: "AWS employs a number of mitigation techniques, both manual
and automated, to prevent such misuse of these services.

"We have also added automatic systems in place that detect and block some attacks before they leave
our infrastructure. Our terms of usage are clear and when we find misuse we take action quickly
and shut it down. Companies that do see malicious activity originating from AWS should contact us
immediately," he added.

In other internet security news

The U.S. National Institute of Standards and Technology (NIST) has been asked to hire more cryptography
experts so that it can confidently assess the NSA's advice and reject it when warranted.

A report from NIST's Visiting Committee on Advanced Technology (VCAT), which scrutinizes and
advises the institute, has criticized NIST for being too dependent on the NSA's cryptography expertise
(or lack thereof).

VCAT cited NIST's adoption and backing of the flawed Dual EC DRBG algorithm, an NSA-sanctioned
random number generator that was later found to be backdoorable.

To be sure, random numbers are crucial in cryptography: if they are predictable, an eavesdropper can
recover the keys derived from them and decrypt intercepted enciphered data.

The report was launched in the wake of allegations from whistleblower Edward Snowden that the NSA
deliberately weakened Dual EC DRBG and other algorithms for surveillance purposes.

The report also reveals that NIST, which is part of the U.S. Department of Commerce, relied heavily on
input from the NSA in maintaining the security standard, despite having been warned about those
weaknesses several years ago.

VCAT members believe that to guard itself from such scandals in the future, NIST will need to become
more transparent and better engage with the security community as a whole.

According to the VCAT report, a lack of qualified personnel was a key shortfall for NIST. Without
enough experts on hand, the institute was unable to spot and address the security vulnerabilities in Dual
EC DRBG and the SP 800-90 standard.

To remedy the problem, the committee is recommending that NIST hire additional staff
versed in cryptography, and that it reach out to academic institutions and security vendors when
building and analyzing encryption standards.

Additionally, the committee determined that NIST will need to end its dependence on the NSA.
"NIST may seek the advice of the NSA on cryptographic matters but it must be in a position to assess
it and reject it when warranted," the report suggests.

"This may be accomplished by NIST itself or by engaging the cryptographic community during the development
and review of any particular standard," the report added.

The report goes on to suggest other transparency measures as well, including the use of open
competitions to build new standards and better documentation of how standards are developed.

NIST added that it would also continue to study the advisory board's findings ahead of releasing a
new cryptographic standards report and some new guidelines regarding the development process by the end
of 2014.

In other internet security news

Google is warning its users that bogus SSL certificates have been issued by India's National
Informatics Centre (NIC).

Those certificates can be used to make servers masquerade as legitimate Google websites when they're not, and
then to eavesdrop on or tamper with users' encrypted communications.

The internet connection would appear to be secure when in fact it's not. According to Google's security
team, it noticed unauthorized certificates for several Google domains that popped up last Wednesday and
traced them back to India's NIC.

What's troubling about this is that the issuer holds several intermediate CA certificates
that chain up to the Indian Controller of Certifying Authorities (India CCA), whose roots are trusted
by some Western companies' software.

"The India CCA certificates are included in the Microsoft Root Store and thus are trusted by
the vast majority of programs running on Windows, including Internet Explorer and Chrome. Firefox
is not affected because it uses its own root store that doesn't include these certificates," said
Google security engineer Adam Langley.

"However, we are not aware of any other root stores that include the India CCA certificates, thus
Chrome on other operating systems, Chrome OS, Android, iOS and OS X are not affected. Additionally,
Chrome on Windows would not have accepted the certificates for Google sites because of public-key pinning,
although mis-issued certificates for other sites may exist," Langley added.
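The distinction Langley draws (a root store decides whether a chain is trusted at all; public-key pinning rejects a chain even when the store trusts it) is easy to see in a small model. The following is an added illustration, not code from Google, Chrome or the article: certificates are reduced to subject/issuer/key triples, the "SPKI" bytes are constructed placeholders rather than real DER, and the store contents and pin set are assumptions standing in for the Windows root store, the Firefox root store and Chrome's built-in pins for Google hosts.

```python
"""Toy model of root-store trust versus public-key pinning (added example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not real DER)."""
    subject: str
    issuer: str
    spki: bytes  # would be the DER SubjectPublicKeyInfo; a placeholder here


def spki_sha256(cert: Cert) -> str:
    """Pin identity: SHA-256 over the SubjectPublicKeyInfo, as HPKP and Chrome use."""
    return hashlib.sha256(cert.spki).hexdigest()


def chain_trusted(chain: List[Cert], root_store: Set[str]) -> bool:
    """Path validation reduced to its essence: each cert must be issued by the
    next one up, and the top of the chain must be a self-issued root whose
    key is in the store."""
    for lower, upper in zip(chain, chain[1:]):
        if lower.issuer != upper.subject:
            return False
    top = chain[-1]
    return top.subject == top.issuer and spki_sha256(top) in root_store


def pins_satisfied(chain: List[Cert], pins: Set[str]) -> bool:
    """Pin check: at least one key anywhere in the chain must be pinned."""
    return any(spki_sha256(c) in pins for c in chain)


def validate(chain: List[Cert], root_store: Set[str],
             pins: Optional[Set[str]] = None) -> Tuple[bool, str]:
    """Root-store trust first; pins (if the host has any) are applied on top."""
    if not chain_trusted(chain, root_store):
        return False, "untrusted root"
    if pins is not None and not pins_satisfied(chain, pins):
        return False, "pin mismatch"
    return True, "ok"


# --- constructed certificates and stores (assumptions, not real data) --------
LEGIT_ROOT = Cert("Legit Root CA", "Legit Root CA", b"spki:legit-root")
LEGIT_LEAF = Cert("www.google.example", "Legit Root CA", b"spki:legit-leaf")
CCA_ROOT = Cert("India CCA (toy)", "India CCA (toy)", b"spki:cca-root")
NIC_INTERMEDIATE = Cert("NIC sub-CA (toy)", "India CCA (toy)", b"spki:nic-int")
BOGUS_LEAF = Cert("www.google.example", "NIC sub-CA (toy)", b"spki:bogus-leaf")

LEGIT_CHAIN = [LEGIT_LEAF, LEGIT_ROOT]
BOGUS_CHAIN = [BOGUS_LEAF, NIC_INTERMEDIATE, CCA_ROOT]

# A Windows-style store that (per the article) carried the India CCA root,
# versus a Firefox-style store that never included it.
STORE_WITH_CCA = {spki_sha256(LEGIT_ROOT), spki_sha256(CCA_ROOT)}
STORE_WITHOUT_CCA = {spki_sha256(LEGIT_ROOT)}

# Pins for the host: only the legitimate CA's key is acceptable.
GOOGLE_PINS = {spki_sha256(LEGIT_ROOT)}


def run_scenarios() -> Dict[str, Tuple[bool, str]]:
    """The four situations the article distinguishes."""
    return {
        # Store trusts India CCA, no pinning (a generic Windows program):
        "bogus/with_cca/no_pins": validate(BOGUS_CHAIN, STORE_WITH_CCA),
        # Same store, but the client pins the host's keys (Chrome on Windows):
        "bogus/with_cca/pinned": validate(BOGUS_CHAIN, STORE_WITH_CCA, GOOGLE_PINS),
        # Store never had the root (Firefox, Chrome on other platforms):
        "bogus/without_cca/no_pins": validate(BOGUS_CHAIN, STORE_WITHOUT_CCA),
        # A legitimate chain passes both checks:
        "legit/with_cca/pinned": validate(LEGIT_CHAIN, STORE_WITH_CCA, GOOGLE_PINS),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:28s} -> {'accept' if ok else 'reject'} ({why})")
```

Running the block shows the bogus chain accepted only by the pin-less client whose store carries the India CCA root, which is exactly the population Langley says remained exposed; the pinned client rejects it despite the trusted root, and the client without the root never trusts the chain in the first place.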

Google engineers alerted both the Indian agencies and Microsoft about the security issue, and
the bogus certificates were revoked a day later. In the meantime, Google blocked all the certificates
in Chrome through its CRLSet mechanism and says its products are in the clear.

It also appears that Microsoft users are now covered. "We are aware of the mis-issued third-party
certificates and we have not detected any of the certificates being issued against Microsoft domains,"
a Microsoft spokesperson said.

"We are taking all the necessary steps to help ensure that our customers remain protected at all times."

The India CCA is now running a full investigation to determine exactly how the certificates came to be
issued, but it's not the first time that certification authorities have either been tricked into
issuing bogus certificates, or been hacked to achieve the same result.

In other internet security news

According to military sources from South Korea, North Korea has doubled the number of government
hackers it employs since mid-2012.

The allegations claim that no fewer than 5900 elite personnel are employed in Pyongyang's hacking
unit, up from 3000 at the beginning of 2012.

The hackers have their crosshairs firmly fixed on Seoul but operate from offices in China,
the source told the Yonhap News Agency.

"North Korea operates a hacking unit under its General Bureau of Reconnaissance, which is
home to some 1200 professional hackers," the source told the agency.

The hackers developed and deployed malware against South Korean banks, media websites, the government
and defence agencies during the employment surge, and were fended off by a 900-strong South Korean
security blue team.

Last year, South Korea planned to train 5000 security people to combat attacks from the North but
it was unclear if these personnel have yet been trained for the task.

Pyongyang denied launching attacks and accused Seoul of fueling diplomatic tensions. The
source said that the North had more "elite" hackers than the United States, which has 900, and Japan,
which has just 90.

Pyongyang trained 100 hackers a year through Mirim and Moranbong universities, said to be run by
the Government's Operations Department that spearheaded cyber war efforts.

Hackers were divided into 600-strong brigades taught by Russian professors from the Frunze
Military Academy, North Korean defector Jang Se-yul told Seoul's popular Chosun newspaper in 2011.

Intriguingly, the same source said in prior years that a lack of local facilities meant hackers
had to be taught in faraway locations.

Last year, North Korea was blamed for distributed denial of service attacks against government
agencies including the Presidential Blue House and media companies.

It followed much larger attacks in March that year infecting banks, insurance firms and broadcasters
with malware that permanently crashed computers.

In other internet security news

In the post-Snowden era, a team of security experts has teamed up to create a convenient instant messenger (IM) client
designed especially for whistleblowers. And yes, Snowden himself would be proud.

The invisible.im project promises an instant messenger app that leaves no trace. The
team behind the project includes Metasploit founder HD Moore and noted expert The Grugq.

To be sure, invisible.im is primarily geared towards serving the stringent anonymity needs of
whistleblowers, as the project website explains.

The invisible.im project was established to develop an instant messenger and file transfer
application that leaves virtually no evidence of conversations or file transfers having occurred.

The primary use case for this technology is for whistleblowers and media sources who wish to remain
anonymous when communicating with the press or other organizations.

Still in its early development stage, the project is looking for developers to port its concept
to various platforms: Windows, OS X and Linux.

It also wants software and security experts capable of hooking the software into the darknet,
specifically the I2P anonymisation network. It is also very keen to work with developers who are
knowledgeable about Tor.

SecureDrop and StrongBox are a good approach for large media organizations such as the New York Times,
but they are complex and require secure supporting infrastructure. The invisible.im project aims to
plug that gap with an instant message and file transfer client that leaves as small
a metadata trail as possible.

TorChat offers anonymity but still requires a registered IM account with an IM provider like
AOL, Yahoo or Microsoft that inevitably leaks metadata sooner or later.